Abstract 

Security protocols stipulate how the remote principals of a computer network should 
interact in order to obtain specific security goals. The crucial goals of confidentiality and 
authentication may be achieved in various forms, each of different strength. Using soft 
(rather than crisp) constraints, we develop a uniform formal notion for the two goals. 
They are no longer formalised as mere yes/no properties as in the existing literature, 
but gain an extra parameter, the security level. For example, different messages can enjoy 
different levels of confidentiality, or a principal can achieve different levels of authentication 
with different principals. 

The goals are formalised within a general framework for protocol analysis that is 
amenable to mechanisation by model checking. Following the application of the framework 
to analysing the asymmetric Needham-Schroeder protocol (Bella and Bistarelli 2001; 
Bella and Bistarelli to appear), we have recently discovered a new attack on that protocol as a 
form of retaliation by principals who have been attacked previously. Having commented 
on that attack, we then demonstrate the framework on a bigger, largely deployed protocol 
consisting of three phases, Kerberos. 
1 Overview 

A number of applications ranging from electronic transactions over the In- 
ternet to banking transactions over financial networks make use of secu- 
rity protocols. It has been shown that the protocols often fail to meet 
their claimed goals (Abadi and Needham 1996; Lowe 1996), so a number of 
approaches for analysing them formally have been developed (Lowe 1995; 
Bella and Riccobene 1997; Paulson 1998; Bodei et al. 2001; Bodei et al. 1996; 
Focardi et al. 2000b; Focardi et al. 2000a; Abadi 1997; Abadi and Gordon 1997). 
The threats to the protocols come from malicious principals who manage to mon- 
itor the network traffic building fake messages at will. A major protocol goal is 
confidentiality, confirming that a message remains undisclosed to malicious princi- 
pals. Another crucial goal is authentication, confirming a principal's participation 
in a protocol session. These goals are formalised in a mere "yes or no" fashion in 
the existing literature. One can just state whether a key is confidential or not, or 
whether a principal authenticates himself with another or not. 

Security goals are not simple boolean properties. "Security is not a simple 
boolean predicate; it concerns how well a system performs certain func- 
tions" (Anderson 1993). Indeed, experience shows that system security officers 
exercise care in applying any firm boolean statements to the real world even if they were 
formal. In general, formal security proofs are conducted within simplified models. 
Therefore, security officers attempt to bridge the gap between those models and the 
real world by adopting the largest possible variety of security measures all together. 
For example, firewalls accompany SSH connections. Limiting the access to certain 
ports of a server is both stated on the firewall and on the server itself. Biometric 
technology recently set aside the use of passwords to strengthen authentication lev- 
els of principals. Still, principals' credentials can be constrained within a validity 
time interval. The officer shall balance the cost of an extra security measure with 
his perception of the unmanaged risks. Any decision will only achieve a certain 
security level. 

Security levels also characterise security patches (Foley 2002). Each patch in fact 
comes with a recommendation that is proportionate to the relevance of the secu- 
rity hole the patch is meant to fix. Patches may be critical, or recommended, or 
suggested, or software upgrade, etc. Depending on the cost of the patch and on the 
relevance of the hole, the security officer can decide whether or not to upgrade the 
system. It is a security policy that establishes the maximum level up to which a patch 
can be ignored. 

This all confirms that real-world security is based on security levels rather than 
on categorical, definitive, security assurances. In particular, security levels char- 
acterise the protocol goals of confidentiality and authentication. Focusing on the 
former goal, we remark that different messages require "specific degrees of protec- 
tion against disclosure" (Gray 2001). For example, a user password requires higher 
protection than a session key, which is only used for a single protocol session. In- 
tuitively, a password ought to be "more confidential" than a session key. Also, a 
confidentiality attack due to off-line cryptanalysis should not be imputed to the 
protocol design. Focusing on authentication, we observe that a certificate stating 
that K is a principal A's public key authenticates A very weakly. The certificate 
only signifies that A is a registered network principal, but in fact confers no 
guarantee about A's participation in a specific protocol session. A message signed by 
A's private key authenticates A more strongly, for it signifies that A participated 
in the protocol in order to sign the message. 

Our original contributions. We have developed enriched formal notions for the two 
goals. Our definitions of $l$-confidentiality and of $l$-authentication highlight the 
security level $l$. One of the advantages of formalising security levels is to capture the 
real-world non-boolean concepts of confidentiality and authentication. 

Each principal assigns his own security level to each message — different levels 
to different messages — expressing the principal's trust on the confidentiality of the 
message. So, we can formalise that different goals are granted to different principals. 
By a preliminary analysis, we can study what goals the protocol achieves in ideal 
conditions where no principal acts maliciously. An empirical analysis may follow, 
whereby we can study what goals the protocol achieves on a specific network con- 
figuration arising from the protocol execution in the real world. Another advantage 
of formalising security levels is that we can variously compare attacks — formally. 

Our security levels belong to a finite linear order. Protocol messages can be 
combined (by concatenation or encryption) or broken down (by splitting or 
decryption) into new messages. We must be able to compute the security levels of 
the newly originated messages out of those of the message components. Therefore, 
we introduce a semiring whose carrier set is the set of security levels. Its two 
functions provide the necessary computational capabilities. Our use of a semiring 
is loosely inspired by Denning's use of a lattice to characterise secure flows of 
information through computer systems (Denning 1976). The idea of using levels to 
formalise access rights is in fact due to her. Denning signals an attack whenever an 
object is assigned a label worse than that initially specified. We formalise protocol 
attacks in the same spirit. 

Another substantial contribution of the present work is the embedding of a novel 
threat model in a framework for protocol analysis. Our threat model regards all 
principals as attackers if they perform, either deliberately or not, any operation 
that is not admitted by the protocol policy. Crucially, it allows any number of non- 
colluding attackers. This overcomes the limits of Dolev and Yao's popular threat 
model (Dolev and Yao 1983), which reduces a number of colluding principals to a 
single attacker. The example that follows shows the deeper adherence of our threat 
model to the real world, where anyone may attempt to subvert a protocol for his 
(and only his) own sake. 

Let us consider Lowe's popular attack on the asymmetric Needham-Schroeder 
protocol (Lowe 1995) within Dolev and Yao's threat model. It sees an attacker C 
masquerade as A with B, after A initiated a session with C. This scenario clearly 
contains an authentication attack following the confidentiality attack whereby C 
learns B's nonce Nb for A. Lowe reports that, if B is a bank for example, C can 
steal money from A's account as follows (Lowe 1995): 

C -> B : {|Na, Nb, "Transfer $1000 from A's account to C's"|}_Kb 

where {|m|}_K stands for the ciphertext obtained encrypting message m with key 
K (external brackets of concatenated messages are omitted). The bank B would 
honour the request believing it came from the account holder A. 

We argue that the analysis is constrained by the limitations of the threat model. 
Plunging Lowe's scenario within our threat model highlights that B has mounted 
an indeliberate confidentiality attack on nonce Na, which was meant to be known 
to A and C only. As C did previously, B can equally decide to illegally exploit his 
knowledge of Na. If A is a bank, B can steal money from C's account as follows 

B -> A : {|Na, Nb, "Transfer $1000 from C's account to B's"|}_Ka 

The bank A would honour the request believing it came from the account holder 
C. 

The details of our findings on the Needham-Schroeder protocol can be found 
elsewhere (Bella and Bistarelli to appear). Our empirical analysis of the protocol 
uniformly detects both attacks in terms of decreased security levels: both C's 
security level on Nb and B's security level on Na become lower than they would 
be if C didn't act maliciously. 

The framework presented throughout this paper supersedes an existing kernel 
(Bella and Bistarelli 2001; Bella and Bistarelli to appear) by extending it with five 
substantial features. I) The principles of the new threat model that allows all 
principals to behave maliciously. II) The combination of preliminary and empirical 
analyses. III) The study of the authentication goal. IV) The formalisation of an 
additional event whereby a principal discovers a secret by cryptanalysis — this al- 
lows a larger number of network configurations to be studied through an empirical 
analysis. V) A comprehensive study of how message manipulation and exposure to 
the network lowers the security level of the message — this is implemented by a 
new algorithm called RiskAssessment. 

Since we only deal with bounded protocols and finite number of principals, our 
framework is amenable to mechanisation by model checking, although this exceeds 
the purposes of the present paper. 

Findings on the running example — Kerberos. We demonstrate our framework on 
a largely deployed protocol, Kerberos. Our preliminary analysis of the protocol 
formally highlights that the loss of an authorisation key would be more serious 
than the loss of a service key by showing that the former has a higher security 
level than the latter. By similar means, the preliminary analysis also allows us to 
compare the protocol goals in the forms they are granted to initiator and responder. 
It shows that authentication of the responder with the initiator is weaker than that 
of the initiator with the responder. To the best of our knowledge, developing such 
detailed observations formally is novel to the field of protocol analysis. 

The empirical analysis that follows studies an example scenario in which a form 
of cryptanalysis was performed. The analysis highlights how that event lowers a 
number of security levels, and so lowers confidentiality and authentication for a 
number of principals. 
Paper outline. After an outline on semiring-based Soft Constraint Satisfaction 
Problems (SCSPs) (§2), our framework for protocol analysis is described (§3). Then, 
the Kerberos protocol is introduced (§4) and analysed (§5). Some conclusions (§6) 
terminate the presentation. 

2 Soft constraints 

Several formalisations of the concept of soft constraints are currently 
available (Schiex et al. 1991; Dubois et al. 1993; Freuder and Wallace 1992; 
Fargier and Lang 1993). In the following, we refer to one that is based on 
c-semirings (Bistarelli 2001; Bistarelli et al. 1997; Bistarelli et al. 2001), which can 
be shown to generalise and express many of the others. 

A soft constraint may be seen as a constraint where each instantiation of its 
variables has an associated value from a partially ordered set. Combining constraints 
will then have to take into account such additional values, and thus the formalism 
has also to provide suitable operations for combination ($\times$) and comparison ($+$) 
of tuples of values and constraints. This is why this formalisation is based on the 
concept of semiring, which is just a set plus two operations. 

A semiring is a tuple $\langle A, +, \times, \mathbf{0}, \mathbf{1} \rangle$ such that: 

• $A$ is a set and $\mathbf{0}, \mathbf{1} \in A$; 

• $+$ is commutative, associative and $\mathbf{0}$ is its unit element; 

• $\times$ is associative, distributes over $+$, $\mathbf{1}$ is its unit element and $\mathbf{0}$ is its absorbing 
element. 

A c-semiring is a semiring $\langle A, +, \times, \mathbf{0}, \mathbf{1} \rangle$ such that: $+$ is idempotent, $\mathbf{1}$ is its 
absorbing element and $\times$ is commutative. 

Let us consider the relation $\leq_S$ over $A$ such that $a \leq_S b$ iff $a + b = b$. Then it is 
possible to prove that (see Bistarelli et al. 1997): 

• $\leq_S$ is a partial order; 

• $+$ and $\times$ are monotone on $\leq_S$; 

• $\mathbf{0}$ is its minimum and $\mathbf{1}$ its maximum; 

• $\langle A, \leq_S \rangle$ is a complete lattice and, for all $a, b \in A$, $a + b = \mathrm{lub}(a, b)$. 

Moreover, if $\times$ is idempotent, then: $+$ distributes over $\times$; $\langle A, \leq_S \rangle$ is a complete 
distributive lattice and $\times$ its glb. 

Informally, the relation $\leq_S$ gives us a way to compare (some of the) tuples of 
values and constraints. In fact, when we have $a \leq_S b$, we will say that $b$ is better 
than $a$. Below, $a \leq_S b$ will be often indicated by $a \leq b$. 

A constraint system is a tuple $CS = \langle S, D, V \rangle$ where $S$ is a c-semiring, $D$ is a 
finite set (the domain of the variables) and $V$ is an ordered set of variables. 

Given a semiring $S = \langle A, +, \times, \mathbf{0}, \mathbf{1} \rangle$ and a constraint system $CS = \langle S, D, V \rangle$, a 
constraint is a pair $\langle \mathit{def}, \mathit{con} \rangle$ where $\mathit{con} \subseteq V$ and $\mathit{def} : D^{|\mathit{con}|} \to A$. Therefore, a 
constraint specifies a set of variables (the ones in $\mathit{con}$), and assigns to each tuple of 
values of these variables an element of the semiring. 

A soft constraint problem is a pair $\langle C, \mathit{con} \rangle$ where $\mathit{con} \subseteq V$ and $C$ is a set of 
constraints: $\mathit{con}$ is the set of variables of interest for the constraint set $C$, which 
however may concern also variables not in $\mathit{con}$. 

Notice that a classical CSP is a SCSP where the chosen c-semiring is: 

$S_{CSP} = \langle \{\mathit{false}, \mathit{true}\}, \vee, \wedge, \mathit{false}, \mathit{true} \rangle$. 

Fuzzy CSPs (Dubois et al. 1993; Ruttkay 1994; Schiex 1992) can instead be 
modelled in the SCSP framework by choosing the c-semiring: 

$S_{FCSP} = \langle [0, 1], \max, \min, 0, 1 \rangle$. 

Figure 1 shows the graph representation of a fuzzy CSP. Variables and constraints 
are represented respectively by nodes and by undirected (unary for $c_1$ and $c_3$ and 
binary for $c_2$) arcs, and semiring values are written to the right of the corresponding 
tuples. The variables of interest (that is the set $\mathit{con}$) are represented with a double 
circle. Here we assume that the domain $D$ of the variables contains only elements 
$a$ and $b$. 

Fig. 1. A fuzzy CSP 

Combining and projecting soft constraints. Given two constraints $c_1 = \langle \mathit{def}_1, \mathit{con}_1 \rangle$ 
and $c_2 = \langle \mathit{def}_2, \mathit{con}_2 \rangle$, their combination $c_1 \otimes c_2$ is the constraint $\langle \mathit{def}, \mathit{con} \rangle$ defined 
by $\mathit{con} = \mathit{con}_1 \cup \mathit{con}_2$ and $\mathit{def}(t) = \mathit{def}_1(t \downarrow^{\mathit{con}}_{\mathit{con}_1}) \times \mathit{def}_2(t \downarrow^{\mathit{con}}_{\mathit{con}_2})$, where $t \downarrow^X_Y$ denotes 
the tuple of values over the variables in $Y$, obtained by projecting tuple $t$ from $X$ to 
$Y$. In words, combining two constraints means building a new constraint involving 
all the variables of the original ones, and which associates to each tuple of domain 
values for such variables a semiring element which is obtained by multiplying the 
elements associated by the original constraints to the appropriate subtuples. 

Given a constraint $c = \langle \mathit{def}, \mathit{con} \rangle$ and a subset $I$ of $V$, the projection of $c$ over 
$I$, written $c \Downarrow_I$, is the constraint $\langle \mathit{def}', \mathit{con}' \rangle$ where $\mathit{con}' = \mathit{con} \cap I$ and 
$\mathit{def}'(t') = \sum_{t \,/\, t \downarrow^{\mathit{con}}_{\mathit{con}'} = t'} \mathit{def}(t)$. Informally, projecting means eliminating some variables. This 
is done by associating to each tuple over the remaining variables a semiring element 
which is the sum of the elements associated by the original constraint to all the 
extensions of this tuple over the eliminated variables. 

In short, combination is performed via the multiplicative operation of the semi- 
ring, and projection via the additive operation. 

Solutions. The solution of an SCSP problem $P = \langle C, \mathit{con} \rangle$ is the constraint 
$\mathit{Sol}(P) = (\bigotimes C) \Downarrow_{\mathit{con}}$. That is, we combine all constraints, and then project over 
the variables in $\mathit{con}$. In this way we get the constraint over $\mathit{con}$ which is "induced" 
by the entire SCSP. 
For example, each solution of the fuzzy CSP of Figure 1 consists of a pair of domain 
values (that is, a domain value for each of the two variables) and an associated 
semiring element. Such an element is obtained by looking at the smallest value for 
all the subtuples (as many as the constraints) forming the pair. For example, for 
tuple $(a, a)$ (that is, $x = y = a$), we have to compute the minimum between $0.9$ 
(which is the value for $x = a$), $0.8$ (which is the value for $(x = a, y = a)$) and $0.9$ 
(which is the value for $y = a$). Hence, the resulting value for this tuple is $0.8$. 
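To make combination and projection concrete, here is an added Python example (not code from the paper) that implements a generic c-semiring, constraint combination via $\times$ and projection via $+$, and solves a fuzzy CSP shaped like Figure 1 (unary $c_1$ on $x$, binary $c_2$ on $x, y$, unary $c_3$ on $y$). Only the three values the text quotes for the tuple $(a, a)$ come from the page; the remaining table entries, the variable names x and y, and the function names are constructed for the example.

```python
# Added example, not code from the paper: a generic semiring-based SCSP
# with constraint combination (via x) and projection (via +), instantiated
# with the fuzzy c-semiring S_FCSP = <[0,1], max, min, 0, 1> on a fuzzy CSP
# shaped like Figure 1 (unary c1 on x, binary c2 on x,y, unary c3 on y).
from functools import reduce
from itertools import product

class CSemiring:
    """<A, +, x, 0, 1>: + compares (idempotent, commutative), x combines."""
    def __init__(self, plus, times, zero, one):
        self.plus, self.times, self.zero, self.one = plus, times, zero, one

FUZZY = CSemiring(plus=max, times=min, zero=0.0, one=1.0)

class Constraint:
    """<def, con>: con is an ordered tuple of variables and table maps each
    tuple of domain values (in con order) to a semiring element."""
    def __init__(self, con, table):
        self.con = tuple(con)
        self.table = dict(table)

    def value(self, assignment):
        """def applied to the projection of a full assignment onto con."""
        return self.table[tuple(assignment[v] for v in self.con)]

def combine(s, c1, c2, domain):
    """c1 (x) c2: con = con1 U con2, def(t) = def1(t|con1) x def2(t|con2)."""
    con = tuple(dict.fromkeys(c1.con + c2.con))       # union, order preserved
    table = {}
    for t in product(domain, repeat=len(con)):
        assignment = dict(zip(con, t))
        table[t] = s.times(c1.value(assignment), c2.value(assignment))
    return Constraint(con, table)

def project(s, c, keep):
    """c projected over keep: con' = con n keep, def'(t') = sum over all
    extensions t of t' of def(t), the sum being the semiring +."""
    con = tuple(v for v in c.con if v in keep)
    table = {}
    for t, val in c.table.items():
        assignment = dict(zip(c.con, t))
        sub = tuple(assignment[v] for v in con)
        table[sub] = s.plus(table.get(sub, s.zero), val)
    return Constraint(con, table)

def solve(s, constraints, con, domain):
    """Sol(P) = ((x) C) projected over con."""
    combined = reduce(lambda a, b: combine(s, a, b, domain), constraints)
    return project(s, combined, con)

DOMAIN = ("a", "b")
# Constructed tables: the page only states the three values used for (a, a),
# namely 0.9 for x = a, 0.8 for (x = a, y = a) and 0.9 for y = a.
C1 = Constraint(("x",), {("a",): 0.9, ("b",): 0.1})
C2 = Constraint(("x", "y"), {("a", "a"): 0.8, ("a", "b"): 0.2,
                             ("b", "a"): 0.0, ("b", "b"): 0.0})
C3 = Constraint(("y",), {("a",): 0.9, ("b",): 0.5})

def figure1_solution():
    """Solution over both variables of interest: the fuzzy level of each pair."""
    return solve(FUZZY, [C1, C2, C3], ("x", "y"), DOMAIN).table

def projection_on_x():
    """Projecting further onto x alone: + (here max) over the eliminated y."""
    return solve(FUZZY, [C1, C2, C3], ("x",), DOMAIN).table

if __name__ == "__main__":
    print(figure1_solution())   # (a, a) gets min(0.9, 0.8, 0.9) = 0.8
    print(projection_on_x())
```

Swapping `FUZZY` for `CSemiring(plus=lambda a, b: a or b, times=lambda a, b: a and b, zero=False, one=True)` turns the same solver into a classical CSP solver, which is the point of the semiring parametrisation described above.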

Partial Information and Entailment. A constraint is a relation among a specified 
set of variables. It gives some information on the set of possible values that those 
variables may assume. Such information is usually not complete since a constraint 
may be satisfied by several assignments of values of the variables (in contrast to 
the situation that we have when we consider a valuation, which tells us the only 
possible assignment for a variable). Therefore, it is natural to describe constraint 
systems as systems of partial information (Saraswat 1993). 

The basic ingredients of a constraint system (defined following the information 
systems idea) are a set $D^*$ of primitive constraints or tokens, each expressing some 
partial information, and an entailment relation $\vdash$ defined on $\wp(D^*) \times D^*$ (or its 
extension defined on $\wp(D^*) \times \wp(D^*)$, such that $u \vdash v$ iff $u \vdash P$ for all $P \in v$) 
satisfying: 

• $u \vdash P$ for all $P \in u$ (reflexivity) and 

• if $u \vdash v$ and $v \vdash z$, then $u \vdash z$ (transitivity). 

As an example of entailment relation, consider $D^*$ as the set of equations over 
the integers; then $\vdash$ could include the pair $(\{x = 3, x = y\}, y = 3)$, which means 
that the constraint $y = 3$ is entailed by the constraints $x = 3$ and $x = y$. Given 
$X \in \wp(D^*)$, let $\overline{X}$ be the set $X$ closed under entailment. Then, a constraint in an 
information system $\langle \wp(D^*), \vdash \rangle$ is simply an element of $\wp(D^*)$ closed under entailment. 

In the SCSP framework a token is simply a soft constraint (that is, a domain 
assignment and some associated semiring values); the entailment rule will 
compute/change new soft constraints (and new levels) (Bistarelli et al. 2002). 

3 Constraint Programming for Protocol Analysis 

This section presents our framework for analysing security protocols. Using soft 
constraints requires the definition of a c-semiring. 

Our security semiring (§3.1) is used to specify each principal's trust on the 
security of each message, that is each principal's security level on each message. The 
security levels range from the most secure (highest, greatest) level $\mathit{unknown}$ to the 
least secure (lowest, smallest) level $\mathit{public}$. Intuitively, if $A$'s security level on $m$ 
is $\mathit{unknown}$, then no principal (including $A$) knows $m$ according to $A$, and, if $A$'s 
security level on $m$ is $\mathit{public}$, then all principals potentially know $m$ according to 
$A$. The lower $A$'s security level on $m$, the higher the number of principals knowing 
$m$ according to $A$. For simplicity, we state no relation between the granularity of 
the security levels and the number of principals. 
Using the security semiring, we define the network constraint system (§3.2), which 
represents the computer network on which the security protocols can be executed. 
The development of the principals' security levels from manipulation of the messages 
seen during the protocol sessions can be formalised as a security entailment 
(§3.3), that is an entailment relation between constraints. Then, given a specific 
protocol to analyse, we represent its assumptions in the initial SCSP (§3.4). All 
admissible network configurations arising from the protocol execution as prescribed 
by the protocol designers can in turn be represented in the policy SCSP (§3.5). We 
also explain how to represent any network configuration arising from the protocol 
execution in the real world as an imputable SCSP (§3.7). 

Given a security level $l$, establishing whether our definitions of $l$-confidentiality 
or $l$-authentication hold in an SCSP requires calculating the solution 
of the imputable SCSP and projecting it on certain principals of interest. The 
higher $l$, the stronger the goal. For example, unknown-confidentiality is stronger 
than public-confidentiality, or, $A$'s security level on $B$'s public key (learnt via a 
certification authority) being public enforces public-authentication of $B$ with $A$, 
which is the weakest form of authentication. We can also formalise confidentiality 
or authentication attacks. The definitions are given within specific methodologies 
of analysis. 

By a preliminary analysis, we can study what goals the protocol achieves in ideal 
conditions where no principal acts maliciously, namely the very best the proto- 
col can guarantee. We concentrate on the policy SCSP, calculate its solution, and 
project it on a principal of interest. The process yields the principal's security levels, 
which allow us to study what goals the protocol grants to that principal in ideal 
conditions, and which potential attacks would be more serious than others for the 
principal. For example, the most serious confidentiality attacks would be against 
those messages on which the principal has the highest security level. 

An empirical analysis may follow, whereby we can study what goals the protocol 
achieves on a specific network configuration arising from the protocol execution in 
the real world. We concentrate on the corresponding imputable SCSP, calculate its 
solution and project it on a principal of interest: we obtain the principal's security 
levels on all messages. Having done the same operations on the the policy SCSP, 
we can compare the outcomes. If some level in the imputable is lower than the 
corresponding level in the policy, then there is an attack in the imputable one. In 
fact, some malicious activity contributing to the network configuration modelled 
by the imputable SCSP has taken place so as to lower some of the security levels 
stated by the policy SCSP. 

The following general treatment is demonstrated on the Kerberos protocol in the sections that follow. 

3.1 The Security Semiring 

Let $n$ be a natural number. We define the set $L$ of security levels as follows: 

$L = \{\mathit{unknown}, \mathit{private}, \mathit{traded}_1, \mathit{traded}_2, \ldots, \mathit{traded}_n, \mathit{public}\}$ 

where $\mathit{unknown}$ is the maximum element of $L$ and $\mathit{public}$ is the minimum one. 
Although our security levels may appear to resemble Abadi's types (Abadi 1999), 
there is in fact little similarity. Abadi associates each message to either type public, 
or secret, or any, whereas we define $n$ security levels with no bound on $n$, and each 
principal associates a level of his own to each message as explained in the following. 
Also, while Abadi's public and private cannot be compared, our levels are linearly 
ordered. 

The security levels express each principal's trust on the security of each message. 
Clearly, $\mathit{unknown}$ is the highest security level. We will show how, under a given 
protocol, a principal assigns $\mathit{unknown}$ to all messages that do not pertain to the 
protocol, and to all messages that the principal does not know. A principal will 
assign $\mathit{private}$ to all messages that, according to himself, are known to him alone, 
such as his own long-term keys, the nonces invented during the protocol execution, 
or any secrets discovered by cryptanalysis. In turn, a principal will assign $\mathit{traded}_i$ 
to the messages that are exchanged during the protocol: the higher the index $i$, the 
more the messages have been handled by the principals, and therefore the more 
principals have potentially learnt those messages. So, $\mathit{public}$ is the lowest security 
level. These security levels generalise, by the $\mathit{traded}_i$ levels, the four levels that we 
have discussed elsewhere (Bella and Bistarelli 2001). 

We introduce an additive operator, $+_{sec}$, and a multiplicative operator, $\times_{sec}$. To 
allow for a compact definition of the two operators, and to simplify the following 
treatment, let us define a convenient double naming: 

- $\mathit{unknown} = \mathit{traded}_{-1}$ 

- $\mathit{private} = \mathit{traded}_0$ 

- $\mathit{public} = \mathit{traded}_{n+1}$ 

Let us consider an index $i$ and an index $j$ both belonging to the closed interval 
$[-1, n+1]$ of integers. We define $+_{sec}$ and $\times_{sec}$ by the following axioms. 

Ax. 1: $\mathit{traded}_i +_{sec} \mathit{traded}_j = \mathit{traded}_{\min(i,j)}$ 
Ax. 2: $\mathit{traded}_i \times_{sec} \mathit{traded}_j = \mathit{traded}_{\max(i,j)}$ 

Theorem 1 (Security Semiring) 

The structure $S_{sec} = \langle L, +_{sec}, \times_{sec}, \mathit{public}, \mathit{unknown} \rangle$ is a c-semiring. 

Proof hint. 

Clearly, $S_{sec}$ enjoys the same properties as the structure $S_{finite\text{-}fuzzy} = 
\langle \{-1, \ldots, n+1\}, \max, \min, -1, n+1 \rangle$. Indeed, the security levels can be mapped 
into the values in the range $-1, \ldots, n+1$ ($\mathit{unknown}$ being mapped into $0$, $\mathit{public}$ 
being mapped into $n+1$); $+_{sec}$ can be mapped into function $\max$; $\times_{sec}$ can be 
mapped into function $\min$. Moreover, $S_{finite\text{-}fuzzy}$ can be proved a c-semiring as 
done with the fuzzy semiring (Bistarelli et al. 1997). □ 

Our security semiring is in fact a linear order, but the general treatment provided 
here complies with the general case where $+_{sec}$ and $\times_{sec}$ must be mapped into more 
complex functions than $\max$ and $\min$. 
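As an added example that is not the paper's own code, the following Python encodes $S_{sec}$ on the level indices of the double naming, with $+_{sec}$ as $\min$ and $\times_{sec}$ as $\max$ on indices exactly as Ax. 1 and Ax. 2 state, and checks by enumeration, for a chosen $n$, the c-semiring and lattice properties listed in §2 (including that $a +_{sec} b$ is the least upper bound under $\leq_S$ and that the order is linear). The function names and the choice of $n$ are the example's own.

```python
# Added example, not code from the paper: the security semiring S_sec of
# §3.1 encoded on level indices via the double naming (unknown = traded_-1,
# private = traded_0, public = traded_n+1), with an exhaustive check of the
# c-semiring and lattice properties of §2 for a small n.
from itertools import product

def level_name(i, n):
    """Name of traded_i under the double naming."""
    return {-1: "unknown", 0: "private", n + 1: "public"}.get(i, f"traded_{i}")

def plus_sec(i, j):
    return min(i, j)   # Ax. 1: traded_i +sec traded_j = traded_min(i,j)

def times_sec(i, j):
    return max(i, j)   # Ax. 2: traded_i xsec traded_j = traded_max(i,j)

def leq_sec(a, b):
    """a <=_S b iff a +sec b = b, i.e. b is at least as secure as a."""
    return plus_sec(a, b) == b

def lub_sec(a, b, levels):
    """Least upper bound of a and b under <=_S, computed from the order alone
    (not from +sec) so that the 'plus_is_lub' check below is meaningful."""
    uppers = [c for c in levels if leq_sec(a, c) and leq_sec(b, c)]
    return [c for c in uppers if all(leq_sec(c, d) for d in uppers)][0]

def check_security_semiring(n):
    """Verify, by enumeration over traded_-1 .. traded_n+1, the properties a
    c-semiring and its induced lattice must have. Returns {property: bool}."""
    L = list(range(-1, n + 2))
    zero, one = n + 1, -1            # public plays 0, unknown plays 1
    pairs = list(product(L, L))
    triples = list(product(L, L, L))
    return {
        "plus_commutative": all(plus_sec(a, b) == plus_sec(b, a) for a, b in pairs),
        "plus_associative": all(plus_sec(plus_sec(a, b), c) == plus_sec(a, plus_sec(b, c))
                                for a, b, c in triples),
        "plus_idempotent": all(plus_sec(a, a) == a for a in L),
        "zero_unit_of_plus": all(plus_sec(a, zero) == a for a in L),
        "one_absorbs_plus": all(plus_sec(a, one) == one for a in L),
        "times_commutative": all(times_sec(a, b) == times_sec(b, a) for a, b in pairs),
        "times_associative": all(times_sec(times_sec(a, b), c) == times_sec(a, times_sec(b, c))
                                 for a, b, c in triples),
        "one_unit_of_times": all(times_sec(a, one) == a for a in L),
        "zero_absorbs_times": all(times_sec(a, zero) == zero for a in L),
        "times_distributes_over_plus": all(
            times_sec(a, plus_sec(b, c)) == plus_sec(times_sec(a, b), times_sec(a, c))
            for a, b, c in triples),
        "zero_min_one_max": all(leq_sec(zero, a) and leq_sec(a, one) for a in L),
        "plus_is_lub": all(plus_sec(a, b) == lub_sec(a, b, L) for a, b in pairs),
        "monotone": all(
            (not leq_sec(a, b))
            or (leq_sec(plus_sec(a, c), plus_sec(b, c))
                and leq_sec(times_sec(a, c), times_sec(b, c)))
            for a, b, c in triples),
        "linear_order": all(leq_sec(a, b) or leq_sec(b, a) for a, b in pairs),
    }

if __name__ == "__main__":
    n = 3
    print([level_name(i, n) for i in range(-1, n + 2)])
    for prop, holds in check_security_semiring(n).items():
        print(f"{prop}: {holds}")
```

Reading the indices the other way round is what makes the order feel natural: a smaller index is a more secure level, so $+_{sec}$ (the $\min$ index) returns the better of two levels and $\times_{sec}$ (the $\max$ index) the worse, which is exactly the use the rules of §3.3 make of them.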
3.2 The Network Constraint System 

We define a constraint system $CS_n = \langle S_{sec}, D, V \rangle$ where: 

• $S_{sec}$ is the security semiring (§3.1); 

• $V$ is a bounded set of variables; 

• $D$ is a bounded set of values including the empty message $\{|\ |\}$ and all atomic 
messages, as well as all messages recursively obtained by concatenation and 
encryption. 

We name $CS_n$ the network constraint system. The elements of $V$ stand for the 
network principals, and the elements of $D$ represent all possible messages. Atomic 
messages typically are principal names, timestamps, nonces and cryptographic keys. 
Concatenation and encryption operations can be applied a bounded number of 
times. 

Notice that $CS_n$ does not depend on any protocols, for it merely portrays a 
computer network on which any protocol can be implemented. Members of $V$ will 
be indicated by capital letters, while members of $D$ will be in small letters. 

3.3 Computing the Security Levels by Entailment 

Recall that each principal associates his own security levels to the messages. Those 
levels evolve while the principal participates in the protocol and performs off-line 
operations such as encryption, concatenation, decryption, and splitting. We define 
four rules to compute the security levels that each principal gives to the newly 
generated messages. The rules are presented in Figure 2, where function $\mathit{def}$ is 
associated to a generic constraint projected on a generic principal $A$. 

Encryption: 

  $\mathit{def}(m_1) = v_1;\ \mathit{def}(m_2) = v_2;\ \mathit{def}(\{|m_1|\}_{m_2}) = v_3$ 
  -------------------------------------------------------------- 
  $\mathit{def}(\{|m_1|\}_{m_2}) = (v_1 +_{sec} v_2) \times_{sec} v_3$ 

Concatenation: 

  $\mathit{def}(m_1) = v_1;\ \mathit{def}(m_2) = v_2;\ \mathit{def}(\{|m_1, m_2|\}) = v_3$ 
  -------------------------------------------------------------- 
  $\mathit{def}(\{|m_1, m_2|\}) = (v_1 +_{sec} v_2) \times_{sec} v_3$ 

Decryption: 

  $\mathit{def}(m_1) = v_1;\ \mathit{def}(m_2^{-1}) = v_2;\ \mathit{def}(\{|m_1|\}_{m_2}) = v_3;\ v_2, v_3 < \mathit{unknown}$ 
  -------------------------------------------------------------- 
  $\mathit{def}(m_1) = v_1 \times_{sec} v_2 \times_{sec} v_3$ 

Splitting: 

  $\mathit{def}(m_1) = v_1;\ \mathit{def}(m_2) = v_2;\ \mathit{def}(\{|m_1, m_2|\}) = v_3$ 
  -------------------------------------------------------------- 
  $\mathit{def}(m_1) = v_1 \times_{sec} v_3;\ \mathit{def}(m_2) = v_2 \times_{sec} v_3$ 

Fig. 2. Computation rules for security levels. 

A message is known to a principal when the principal's security level on that 
message is lower than $\mathit{unknown}$. Encryption and concatenation build up new 
messages from known ones. The new messages must not get a worse security level than 
the known ones have. So, the corresponding rules choose the better of the given 
levels. Precisely, if messages $m_1$ and $m_2$ have security levels $v_1$ and $v_2$ respectively, 
then the encrypted message $\{|m_1|\}_{m_2}$ and the compound message $\{|m_1, m_2|\}$, whose 
current level be some $v_3$, get a new level that is the better of $v_1$ and $v_2$, "normalised" 
by $v_3$. This normalisation, which is done in terms of the $\times_{sec}$ operator, influences 
the result only if the new level is better than the current level. 

Decryption and splitting break down known messages into new ones. The new 
messages must not get a better security level than the known ones have. So, the 
corresponding rules choose the worse of the given levels by suitable applications of 
$\times_{sec}$, and assign it to the new messages. Recall that, in case of asymmetric 
cryptography, the decryption key for a ciphertext is the inverse of the key that was 
used to create the ciphertext. So the rule for decryption considers the inverse of 
message $m_2$ and indicates it as $m_2^{-1}$. Conversely, in case of symmetric 
cryptography, we have $m_2^{-1} = m_2$. The rule for splitting presupposes that concatenation is 
transparent in the sense that, for any index $n$, an $n$-component message can be 
seen as a 2-component message, namely $\{|m_1, m_2, \ldots, m_n|\} = \{|m_1, \{|m_2, \ldots, m_n|\}|\}$. 
We now define a binary relation between constraints. 

Definition 2 (Relation $\vdash$) 

Consider two constraints $c_1, c_2 \in C$ such that $c_1 = \langle \mathit{def}_1, \mathit{con} \rangle$ and $c_2 = 
\langle \mathit{def}_2, \mathit{con} \rangle$. The binary relation $\vdash$ is such that $c_1 \vdash c_2$ iff $\mathit{def}_2$ can be obtained 
from $\mathit{def}_1$ by a number (possibly zero) of applications of the rules in Figure 2. 

Theorem 3 (Relation $\vdash$ as entailment relation) 
The binary relation $\vdash$ is an entailment relation. 

Proof hint. 

Relation $\vdash$ enjoys the reflexivity and transitivity properties that are needed to be 
an entailment relation. □ 

In the following, $c^{\vdash}$ represents the reflexive, transitive closure of the entailment 
relation $\vdash$ applied to the constraint $c$. While other entailment relations 
(e.g. Bistarelli et al. 2002) involve all constraints that are related by the partial 
order $\leq_S$, the security entailment only concerns the subset of those constraints 
obtainable by application of the four rules in Figure 2. 

3.4 The Initial SCSP 

The designer of a protocol must also develop a policy to accompany the protocol. 
The policy for a protocol $\mathcal{P}$ is a set of rules stating, among other things, the 
preconditions necessary for the protocol execution, such as which messages are public, 
and which messages are private for which principals. 

It is intuitive to capture these policy rules by our security levels. Precisely, 
these rules can be translated into unary constraints. For each principal $A \in V$, we 
define a unary constraint that states $A$'s security levels as follows. It associates 
security level $\mathit{public}$ to those messages that are known to all, typically principal 
names and timestamps; level $\mathit{private}$ to $A$'s initial secrets, such as keys (e.g., $A$'s 
long-term key if $\mathcal{P}$ uses symmetric cryptography, or $A$'s private key if $\mathcal{P}$ uses 
asymmetric cryptography, or $A$'s pin if $\mathcal{P}$ uses smart cards) or nonces; level $\mathit{unknown}$ 
to all remaining domain values (including, e.g., the secrets that $A$ will invent during 
the protocol execution, or other principals' initial secrets). 

This procedure defines what we name initial SCSP for $\mathcal{P}$, which specifies the 
principals' security levels when no session of $\mathcal{P}$ has yet started. Notice that the 
constraint store representing each principal's security levels is computed using the 
reflexive, transitive closure of the entailment relation $\vdash$. So, when a new message 
is invented, the corresponding constraint is added to the store along with all 
constraints that can be extracted by entailment. 

Considerations on how official protocol specifications often fail to provide a 
satisfactory policy (Bella et al. 2003) exceed the scope of this paper. Nevertheless, 
having to define the initial SCSP for a protocol may help pinpoint unknown 
deficiencies or ambiguities in the policy. 



3.5 The Policy SCSP

The policy for a protocol $\mathcal{P}$ also establishes which messages must be exchanged during a session between a pair of principals while no-one performs malicious activity. The protocol designer typically writes a single step as $A \rightarrow B : m$, meaning that principal $A$ sends message $m$ to principal $B$. The policy typically allows each principal to participate in a number of protocol sessions inventing a number of fresh messages. Assuming both these numbers to be bounded, a bounded number of events may take place (Durgin et al. 1999). Because no principal is assumed to be acting maliciously, no message is intercepted, so a message that is sent is certain to reach its intended recipient. Therefore, we only formalise the two following events.

1. A principal invents a fresh message (typically a new nonce).

2. A principal sends a message (constructed by some sequence of applications of encryption, concatenation, decryption, and splitting) to another principal, and the message is delivered correctly.

Clearly, additional events can be formalised to capture protocol-specific details, such as principals' annotation of sensitive messages, message broadcast, SSL-secure transmission, and so on.

We read from the protocol policy each allowed step of the form $A \rightarrow B : m$ and its informal description, which explains whether $A$ invents $m$ or part of it. Then, we build the policy SCSP for $\mathcal{P}$ by the algorithm in Figure 3.

BuildPolicySCSP($\mathcal{P}$)

1. $p \leftarrow$ initial SCSP for $\mathcal{P}$;

2. for each event $ev$ allowed by the policy for $\mathcal{P}$ do

3.   if $ev$ = ($A$ invents $n$, for some $A$ and $n$) then

4.     $p \leftarrow p$ extended with unary constraint on $A$ that assigns private to $n$ and unknown to all other messages;

5.   if $ev$ = ($A$ sends $m$ to $B$ not intercepted, for some $A$, $m$ and $B$) then

6.     $c \leftarrow Sol(p) \Downarrow_{\{A\}}$;

7.     let $(def, con) = c^{\vdash}$ in $newlevel \leftarrow$ RiskAssessment($def(m)$);

8.     $p \leftarrow p$ extended with binary constraint between $A$ and $B$ that assigns $newlevel$ to $(\{||\}, m)$ and unknown to all other tuples;

9. return $p$;

Fig. 3. Algorithm to construct the policy SCSP for a protocol $\mathcal{P}$.

The algorithm considers the initial SCSP (line 1) and extends it with new constraints induced by each of the events occurring during the protocol execution (line 2). If the current event is a principal $A$'s inventing a message $n$ (line 3), then a unary constraint is added on variable $A$ assigning security level private to the domain value $n$, and unknown to all other values (line 4). If that event is a principal $A$'s sending a message $m$ to a principal $B$ (line 5), then the solution of the current SCSP $p$ is computed and projected on the sender variable $A$ (line 6), and extended by entailment (line 7). The last two steps yield $A$'s view of the network traffic. In particular, also $A$'s security level on $m$ is updated by entailment. For example, if $m$ is built as $\{|Na, Nb|\}$, the security levels of $Na$ and $Nb$ derive from the computed solution, and then the level of $m$ is obtained by the concatenation rule of the entailment relation.

At this stage, $A$'s security level on $m$ is updated again by algorithm RiskAssessment (line 7). As explained in the next section, this shall assess the risks that $m$ runs following $A$'s manipulation and the exposure to the network. The current SCSP can now be extended with a binary constraint on the pair of variables $A$ and $B$ (line 8). It assigns the newly computed security level $newlevel$ to the tuple $(\{||\}, m)$ and unknown to all other tuples. This reasoning is repeated for each of the bounded number of events allowed by the policy. When there are no more events to process, the current SCSP is returned as policy SCSP for $\mathcal{P}$ (line 9), which is our formal model for the idealised protocol. Termination of the algorithm is guaranteed by finiteness of the number of allowed events. Its complexity is clearly linear in the number of allowed events, which is in turn exponential in the length of the exchanged messages (Durgin et al. 1999).

We remark that a binary constraint between (a pair of variables formalising respectively) sender and receiver of $m$, which assigns some newly computed security level to the tuple $(\{||\}, m)$, confirms that the receiver's level on $m$ is influenced by the event that the constraint formalises, as opposed to the sender's level which is not.

3.6 Assessing the Expected Risk

Each network event involves some message. The events that expose their messages to the network, such as to send or receive or broadcast a message, clearly impose some expected risk on those messages — ideal message security is never to use that message. The risk function $\rho$ expresses how the expected risk affects the security levels of the messages that are involved.

The actual definition of the risk function depends on the protocol policy, which should clearly state the expected risk for each network event when the protocol is executed in its intended environment. But "often protocols are used in environments other than the ones for which they were originally intended" (Meadows 2001), so the definition also depends on the specific environment that is considered.

The risk function should take as parameters the given security level and the network event that is influencing that level. The second parameter can be omitted for simplicity from this presentation because of the limited number of events we are modelling. Indeed, we will only have to compute the function for the network event whereby a message is sent on the network (either intercepted or not), whereas if we modelled, for example, a broadcast event, then the assessment for that particular event would have to yield public.

The risk function must enjoy the two following properties.

i. Extensivity. This property means that $\rho(l) \leq l$ for any $l$. It captures the requirement that each manipulation of a message decrease its security level — each manipulation increases the risk of tampering.

ii. Monotonicity. This property means that $l_1 \leq l_2$ implies $\rho(l_1) \leq \rho(l_2)$ for any $l_1$ and $l_2$. It captures the requirement that the expected risk preserve the $\leq$ relation between any pair of given security levels.

Notice that we have stated no restrictions on the values of the risk function. Therefore, an initial total order, e.g. $l_1 < l_2$, may at times be preserved, such as $\rho(l_1) < \rho(l_2)$, or at other times be hidden, such as $\rho(l_1) = \rho(l_2)$.

As a simple example of risk function we choose the following variant of the predecessor function. It takes a security level and produces its predecessor in the linear order induced by $+_{sec}$ on the set $L$ of security levels, unless the given level is the lowest, public, in which case the function leaves it unchanged. Our algorithm RiskAssessment in general serves to implement the risk function. Figure 4 shows the algorithm for our example function.

RiskAssessment($l$)

1. let $traded_i = l$ in

2.   if $i = n + 1$ then $l' \leftarrow l$

3.   else $l' \leftarrow traded_{i+1}$;

4. return $l'$;

Fig. 4. Implementation for a simple risk function.

We remark that all considerations we advance in the sequel of this paper merely rely on the two properties we have required for a risk function and are therefore independent from the specific example function. However, the protocol analyser may take, depending on his focus, more detailed risk functions, such as for checking originator(s) or recipient(s) of the current event (conventional principals, trusted third principals, proxy principals, etc.), the network where it is being performed (wired or wireless), and so on.

One could think of embedding the risk function at the constraint level rather than at a meta-level as we have done. That would be possible by embedding the appropriate refinements in the entailment rules. For example, let us consider an agent's construction of a message $m = \{|m_1, m_2|\}$, which is currently $traded_i$, from concatenation of $m_1$ and $m_2$, which are $traded_{i_1}$ and $traded_{i_2}$ respectively. The entailment rule should first compute the maximum between the levels of the components (that is the minimum between the indexes), obtaining $traded_{\min(i_1, i_2)}$. Then, it should compute the minimum between the level just computed and that of $m$ (that is the maximum between the indexes), obtaining $traded_{\max(\min(i_1, i_2), i)}$. Finally, the rule should apply the risk function. With our example risk function, it should yield $traded_{\max(\min(i_1, i_2), i) + 1}$. But the security levels would be decremented every time the entailment relation were applied. This would violate a general requirement of constraint programming, that is $(c^{\vdash})^{\vdash} = c^{\vdash}$. Hence, the decrement at the meta level is preferable.

3.7 The Imputable SCSPs

A real-world network history induced by a protocol $\mathcal{P}$ must account for malicious activity by some principals. Each such history can be viewed as a sequence of events of four different forms.

1. A principal invents a fresh message (typically a new nonce).

2. A principal sends a message (constructed by some sequence of applications of encryption, concatenation, decryption, and splitting) to another principal, and the message is delivered correctly.

3. A principal sends a message (constructed as in the previous event) to another principal, but a third principal intercepts it.

4. A principal discovers a message by cryptanalysing another message.

Unlike the first two events, which were formalised also for constructing the policy SCSP, the last two are new, as they are the outcome of malicious activity. We remark that the third event signifies that the message reaches some unexpected principal rather than its intended recipient.

We can model any network configuration at a certain point in any real-world network history as an SCSP by modifying the algorithm given in Figure 3 as in Figure 5 (unmodified fragments are omitted). The new algorithm takes as inputs a protocol $\mathcal{P}$ and a network configuration $nc$ originated from the protocol execution. The third type of event is processed as follows: when a message is sent by $A$ to $B$ and is intercepted by another principal $C$, the corresponding constraint must be stated on the pair $A$, $C$ rather than $A$, $B$. The fourth type of event is processed by stating a unary constraint that assigns private to the cryptanalyser's security level on the discovered message.

The new algorithm outputs what we name an imputable SCSP for $\mathcal{P}$. Both the initial SCSP and the policy SCSP may be viewed as imputable SCSPs. Because we have assumed all our objects to be bounded, the number of possible network configurations is bounded and so is the number of imputable SCSPs for $\mathcal{P}$.



16 G. Bella and S. Bistarelli

BuildImputableSCSP($\mathcal{P}$, $nc$)

2. for each event $ev$ in $nc$ do

8.1.   if $ev$ = ($A$ sends $m$ to $B$ intercepted by $C$, for some $A$, $m$, $B$ and $C$) then

8.2.     $c \leftarrow Sol(p) \Downarrow_{\{A\}}$;

8.3.     let $(def, con) = c^{\vdash}$ in $newlevel \leftarrow$ RiskAssessment($def(m)$);

8.4.     $p \leftarrow p$ extended with binary constraint between $A$ and $C$ that assigns $newlevel$ to $(\{||\}, m)$ and unknown to all other tuples;

8.5.   if $ev$ = ($C$ cryptanalyses $n$ from $m$, for some $C$, $m$ and $n$) then

8.6.     $p \leftarrow p$ extended with unary constraint on $C$ that assigns private to $n$ and unknown to all other messages;

Fig. 5. Algorithm to construct an imputable SCSP for $\mathcal{P}$ (fragment).
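The construction of Sections 3.4 to 3.7, as an added executable model that is not the paper's own code: the linear order of security levels, the example risk function of Figure 4 checked for extensivity and monotonicity, and the event loop of Figures 3 and 5 run on a constructed two-message nonce exchange and on an intercepted-and-cryptanalysed variant of it. The entailment rules of Figure 2 are not on this page, so close() implements our own reading of them from Sections 3.5, 3.6 and 5.1 (a compound is as secret as its most secret part; spl it ting, or decryption with a known key, hands a part the compound's level). The number N of traded levels, the tuple encoding of messages, the way a binary constraint is projected on the receiver, and the sample protocol are all assumptions of this example.

```python
"""Executable model of Sections 3.4-3.7 (added example, not the paper's code).

Security levels form the linear order
    public < traded_N < ... < traded_1 < private < unknown,
unknown being the top (Definition 7 writes "< unknown" for a known message).
A principal's unary constraint is a dict message -> level (absent = unknown).
The binary constraint created by a send is recorded as the level the receiver
obtains on the message, i.e. the ({||}, m) tuple projected on the receiver.
"""
from itertools import product

N = 5  # number of traded_i levels, chosen for this example
LEVELS = ["public"] + [f"traded_{i}" for i in range(N, 0, -1)] + ["private", "unknown"]
RANK = {lvl: r for r, lvl in enumerate(LEVELS)}

def leq(l1, l2):
    return RANK[l1] <= RANK[l2]

def lmax(*ls):
    return max(ls, key=RANK.__getitem__)

def lmin(*ls):
    return min(ls, key=RANK.__getitem__)

def risk_assessment(level):
    """Figure 4's example risk function: the predecessor of a level, public fixed."""
    return level if level == "public" else LEVELS[RANK[level] - 1]

def is_extensive(rho):                       # property i. of Section 3.6
    return all(leq(rho(l), l) for l in LEVELS)

def is_monotone(rho):                        # property ii. of Section 3.6
    return all(leq(rho(a), rho(b)) for a, b in product(LEVELS, LEVELS) if leq(a, b))

# Messages: atoms are strings, ("cat", m1, m2) is {|m1, m2|}, ("enc", m, k) is {|m|}_k.
def cat(m1, m2): return ("cat", m1, m2)
def enc(m, k): return ("enc", m, k)

def subterms(m):
    yield m
    if isinstance(m, tuple):
        for part in m[1:]:
            yield from subterms(part)

def lvl(store, m):
    return store.get(m, "unknown")

def close(store):
    """Reflexive-transitive closure under our reading of the four entailment rules
    (Figure 2 is not on the page), without the risk function (Section 3.6):
    a compound gets the max level of its parts, capped by its own current level;
    splitting, and decryption with a known key, give a part the compound's level."""
    s = dict(store)
    while True:
        before = dict(s)
        for m in list(s):
            if not isinstance(m, tuple):
                continue
            parts = m[1:]
            s[m] = lmin(lvl(s, m), lmax(*(lvl(s, p) for p in parts)))
            known_key = m[0] == "enc" and lvl(s, m[2]) != "unknown"
            readable = parts if m[0] == "cat" else (parts[:1] if known_key else ())
            for p in readable:
                s[p] = lmin(lvl(s, p), lvl(s, m))
        if s == before:
            return s

def build_scsp(initial, events, rho=risk_assessment):
    """Figures 3 and 5 together; returns (unary constraints, binary constraints)."""
    unary = {p: dict(c) for p, c in initial.items()}
    binary = {}
    for ev in events:
        if ev[0] == "invents":                       # line 3-4
            unary[ev[1]][ev[2]] = "private"
        elif ev[0] in ("sends", "intercepted"):      # lines 5-8 / 8.1-8.4
            a, m = ev[1], ev[2]
            receiver = ev[4] if ev[0] == "intercepted" else ev[3]
            view = dict(unary[a])
            view.update({t: lvl(view, t) for t in subterms(m)})  # Sol(p) projected on A
            newlevel = rho(lvl(close(view), m))                   # entailment, then risk
            binary.setdefault((a, receiver), {})[m] = newlevel
            unary[receiver][m] = lmin(lvl(unary[receiver], m), newlevel)
        elif ev[0] == "cryptanalyses":               # lines 8.5-8.6
            unary[ev[1]][ev[2]] = lmin(lvl(unary[ev[1]], ev[2]), "private")
    return unary, binary

def solution(unary, principal):
    """def_principal: the principal's unary constraint closed under entailment."""
    return close(unary[principal])

# Constructed sample: a two-message nonce exchange under a shared key Kab.
INITIAL = {"A": {"Kab": "private", "a": "public", "b": "public"},
           "B": {"Kab": "private", "a": "public", "b": "public"},
           "C": {"a": "public", "b": "public"}}
M1 = enc(cat("a", "Na"), "Kab")
M2 = enc(cat("Na", "Nb"), "Kab")
POLICY_EVENTS = [("invents", "A", "Na"), ("sends", "A", M1, "B"),
                 ("invents", "B", "Nb"), ("sends", "B", M2, "A")]
# Imputable history: C intercepts the first message and cryptanalyses Na out of it.
IMPUTABLE_EVENTS = [("invents", "A", "Na"), ("intercepted", "A", M1, "B", "C"),
                    ("cryptanalyses", "C", "Na", M1)]

if __name__ == "__main__":
    pu, _ = build_scsp(INITIAL, POLICY_EVENTS)
    iu, _ = build_scsp(INITIAL, IMPUTABLE_EVENTS)
    for who in "ABC":
        print(who, "Na in policy:", lvl(solution(pu, who), "Na"),
              " in imputable:", lvl(solution(iu, who), "Na"))
```

In the policy run both $A$ and $B$ end with $Na$ at $traded_1$ (each send costs one level, the sender's own level drops only when the nonce comes back to it inside a later message), while $C$ never learns it; in the imputable run $C$ holds $Na$ at private and $B$ never receives it, which is the raw material Definition 6 later compares.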

3.8 Formalising Confidentiality

"Confidentiality is the protection of information from disclosure to those not intended to receive it" (Neuman and Ts'o 1996). This definition is often simplified into one that is easier to formalise within Dolev-Yao's (Dolev and Yao 1983) model with a single attacker: a message is confidential if it is not known to the attacker. The latter definition is somewhat weaker: if a principal $C$ who is not the attacker gets to learn a session key for $A$ and $B$, the latter definition holds but the former does not. To capture the former definition, we adopt the following threat model: all principals are attackers if they perform, either deliberately or not, any operation that is not admitted by the protocol policy. As we have discussed in the introduction to this paper, our threat model exceeds the limits of Dolev-Yao's by allowing us to analyse scenarios with an unspecified number of non-colluding attackers.

A formal definition of confidentiality should account for the variety of requirements that can be stated by the protocol policy. For example, a message might be required to remain confidential during the early stages of a protocol but its loss during the late stages might be tolerated, as is the case with SET (Bella et al. 2003). That protocol typically uses a fresh session key to transfer some certificate once, so the key loses its importance after the transfer terminates.

Another possible requirement is that certain messages, such as those signed by a root certification authority to associate the principals to their public keys (Bella et al. 2003), be entirely reliable. Hence, at least those messages must be assumed to be safe from cryptanalysis. Also, a protocol may give different guarantees about its goals to different principals (Bella 2000), so our definition of confidentiality must depend on the specific principal that is considered.

Using the security levels, we develop uniform definitions of confidentiality and of confidentiality attack that account for any policy requirement. Intuitively, if a principal's security level on a message is $l$, then the message is $l$-confidential for the principal because the security level in fact formalises the principal's trust on the security, meant as confidentiality, of the message (see the beginning of ...). Thus, if an imputable SCSP features a principal with a lower security level on a message w.r.t. the corresponding level in the policy SCSP, then that imputable SCSP bears a confidentiality attack.

Here, $l$ denotes a generic security level, $m$ a generic message, $A$ a generic principal. Also, $P$ indicates the policy SCSP for a generic security protocol, and $p$ and $p'$ some imputable SCSPs for the same protocol. We define $Sol(P) \Downarrow_{\{A\}} = (Def_A, \{A\})$,

3.8.1 Preliminary analysis of confidentiality

The preliminary analysis of the confidentiality goal can be conducted on the policy SCSP for the given protocol.

Let us calculate the solution of the policy SCSP, and project it on some principal $A$. Let us suppose that two messages $m$ and $m'$ get security levels $l$ and $l'$ respectively, $l' < l$. Thus, even if no principal acts maliciously, $m'$ must be manipulated more than $m$, so $A$ trusts that $m'$ will be more at risk than $m$. We can conclude that the protocol achieves a stronger confidentiality goal on $m$ than on $m'$ even if it is executed in ideal conditions. Also, $m$ may be used to encrypt $m'$, as is the case with Kerberos (§5.1) for example. Therefore, losing $m$ to a malicious principal would be more serious than losing $m'$. We address a principal's loss of $m$ as confidentiality attack on $m$. A more formal definition of confidentiality attack cannot be given within the preliminary analysis because no malicious activity is formalised. So, the following definition concerns potential confidentiality attacks that may occur during the execution.

Definition 5 (Potential, worse confidentiality attack)

Suppose that there is $l$-confidentiality of $m$ in $P$ for $A$, that there is $l'$-confidentiality of $m'$ in $P$ for $A$, and that $l' < l$; then, a confidentiality attack on $m$ would be worse than a confidentiality attack on $m'$.

3.8.2 Empirical analysis of confidentiality

By an empirical analysis, we consider a specific real-world scenario arising from the execution of a protocol and build the corresponding imputable SCSP $p$. If the imputable SCSP achieves a weaker confidentiality goal of some message for some principal than the policy SCSP does, then the principal has mounted, either deliberately or not, a confidentiality attack on the message.

Definition 6 (Confidentiality attack)

Confidentiality attack by $A$ on $m$ in $p$ $\iff$ $l$-confidentiality of $m$ in $P$ for $A$ $\wedge$ $l'$-confidentiality of $m$ in $p$ for $A$ $\wedge$ $l' < l$.

Therefore, there is a confidentiality attack by $A$ on $m$ in $p$ iff $def_A(m) < Def_A(m)$. The more an attack lowers a security level, the worse that attack, so confidentiality attacks can be variously compared. For example, let us consider two confidentiality attacks by some agent on a message. If the message is $l$-confidential for the agent in the policy SCSP, but is $l'$-confidential and $l''$-confidential respectively in some imputable SCSPs $p$ and $p'$ for the same agent, then $l > l' > l''$ implies that the attack mounted in $p'$ is worse than that in $p$. Likewise, let us consider two messages $m$ and $m'$ that are both $l$-confidential for some agent in the policy SCSP. If $m$ is $l'$-confidential, and $m'$ is $l''$-confidential in $p$, then $l > l' > l''$ implies that the attack mounted on $m'$ is worse than that on $m$.



The authentication goal enforces the principals' presence in the network and possibly their participation in specific protocol sessions. It is achieved by means of messages that "speak about" principals. For example, in a symmetric cryptography setting, given a session key $Kab$ relative to the session between principals $A$ and $B$ and known to both, message $\{|A, Na|\}_{Kab}$ received by $B$ informs him that $A$ is running the session based on nonce $Na$ and key $Kab$, namely the message authenticates $A$ with $B$. An equivalent message in an asymmetric setting could be $\{|Nb|\}_{Ka^{-1}}$, which $B$ can decrypt using $A$'s public key. Also $B$'s mere knowledge of $Ka$ as being $A$'s public key is a form of authentication of $A$ with $B$. Indeed, $A$ must be a legitimate principal because $Ka$ is typically certified by a certificate of the form $\{|A, Ka|\}_{Kca^{-1}}$, $Kca$ being the public key of a certification authority. It follows that security protocols may use a large variety of message forms to achieve the authentication goal — the ISO standard in fact does not state a single form to use (International Organization for Standardization 1989).

In consequence, we declare a predicate $speaksabout(m, A)$, but do not provide a formal definition for it because this would necessarily have to be restrictive. However, the examples above provide the intuition of its semantics. There is $l$-authentication of $B$ with $A$ if there exists a message such that $A$'s security level on it is $l$, and the message speaks about $B$. This signifies that $A$ received a message conveying $B$'s aliveness.

Definition 7 ($l$-authentication)

$l$-authentication of $B$ with $A$ in $p$ $\iff$ $\exists m$ s.t. $def_A(m) = l < unknown$ $\wedge$ $speaksabout(m, B)$ $\wedge$ $def_B(m) < unknown$.

The definition says that there is $l$-authentication of $B$ with $A$ whenever both $A$'s and $B$'s security levels on a message that speaks about $B$ are less than unknown, $l$ being $A$'s level on the message. The intuition behind the definition is that messages that $B$ sends $A$ for authentication will produce a strong level of authentication if they reach $A$ without anyone else's tampering. Otherwise the level of authentication gets weaker and weaker. Precisely, the lower $A$'s security level on $m$, the weaker the authentication of $B$ with $A$.

Weaker forms of authentication hold when, for example, $B$ sends a message speaking about himself via a trusted third principal, or when a malicious principal overhears the message (recall that each event of sending decreases the security level of the sent message). Our definition applies uniformly to both circumstances by the appropriate security level.

Another observation is that the weakest form, public-authentication, holds for example of $B$ with $A$ in an asymmetric-cryptography setting by the certificate for $B$'s public key in any imputable SCSP where $A$ received the certificate. Likewise, the spy could always forge a public message that speaks about $B$, e.g. a message containing $B$'s identity. But in fact public-authentication always holds between any pairs of principals because principals' names are known to all.

3.9.1 Preliminary analysis of authentication

As done with the confidentiality goal, the preliminary analysis of the authentication goal can be conducted on the policy SCSP for the given protocol. Once we calculate the solution of that SCSP, we can apply our definition of $l$-authentication, and verify what form of authentication is achieved. In particular, if there is $l$-authentication of $B$ with $A$, and $l'$-authentication of $D$ with $C$, $l' < l$, then we can conclude that the protocol achieves a stronger authentication goal of $B$ with $A$ than of $D$ with $C$. We address a principal's masquerading as $B$ with $A$ as authentication attack on $A$ by means of $B$. A more formal definition of authentication attack cannot be given at this stage, since no principal acts maliciously in the policy SCSP. However, we can compare potential authentication attacks in case they happen during the protocol execution.

Definition 8 (Potential, worse authentication attack)

Suppose that there is $l$-authentication of $B$ with $A$ by $m$ in $P$, that there is $l'$-authentication of $D$ with $C$ by $m'$ in $P$, and that $l' < l$; then an authentication attack on $A$ by means of $B$ would be worse than an authentication attack on $C$ by means of $D$.

3.9.2 Empirical analysis of authentication

If the policy SCSP $P$ achieves $l$-authentication of $B$ with $A$ by $m$, and an imputable SCSP $p$ achieves a weaker form of authentication between the same principals by the same message, then the latter SCSP bears an authentication attack.

Definition 9 (Authentication attack)

Authentication attack on $A$ by means of $B$ in $p$ $\iff$ $l$-authentication of $B$ with $A$ in $P$ $\wedge$ $l'$-authentication of $B$ with $A$ in $p$ $\wedge$ $l' < l$.

If a malicious principal has intercepted a message $m$ that authenticates $B$ with $A$, and forwarded $m$ to $B$ in some imputable SCSP $p$, then, according to the previous definition, there is an authentication attack on $A$ by means of $B$ in $p$.

4 The Kerberos Protocol

Kerberos is a protocol based on symmetric cryptography meant to distribute session keys with authentication over local area networks. The protocol has been developed in several variants (e.g. (Miller et al. 1989)), and also integrated with smart

The layout in Figure 6 shows that Kerberos relies on two servers, the Kerberos Authentication Server (Kas in brief), and the Ticket Granting Server (Tgs in brief). The two servers are trusted, namely they are assumed to be secure from the spy's tampering. They have access to an internal database containing the long-term keys of all principals. The database is in turn assumed to be secure. Only the first two steps of the protocol are mandatory, corresponding to a principal $A$'s authentication with Kas. The remaining steps are optional as they are executed only when $A$ requires access to a network resource $B$.

Authentication

1. $A \rightarrow Kas$ : $A, Tgs, T_1$

2. $Kas \rightarrow A$ : $\{|authK, Tgs, Ta, \underbrace{\{|A, Tgs, authK, Ta|\}_{Ktgs}}_{authTicket}|\}_{Ka}$

Authorisation

3. $A \rightarrow Tgs$ : $\underbrace{\{|A, Tgs, authK, Ta|\}_{Ktgs}}_{authTicket}, \underbrace{\{|A, T_2|\}_{authK}}_{authenticator_1}, B$

4. $Tgs \rightarrow A$ : $\{|servK, B, Ts, \underbrace{\{|A, B, servK, Ts|\}_{Kb}}_{servTicket}|\}_{authK}$

Service

5. $A \rightarrow B$ : $\underbrace{\{|A, B, servK, Ts|\}_{Kb}}_{servTicket}, \underbrace{\{|A, T_3|\}_{servK}}_{authenticator_2}$

6. $B \rightarrow A$ : $\underbrace{\{|T_3 + 1|\}_{servK}}_{authenticator_3}$

Fig. 7. The Kerberos protocol.



In the authentication phase, the initiator $A$ queries Kas with her identity, Tgs and a timestamp $T_1$; Kas invents a session key and looks up $A$'s shared key in the database. It replies with a message sealed by $A$'s shared key containing the session key, its timestamp $Ta$, Tgs and a ticket. The session key and the ticket are the credentials to use in the subsequent authorisation phase, so we address them as authkey and authticket respectively.

Now, $A$ may start the authorisation phase. She sends Tgs a three-component message including the authticket, an authenticator sealed by the authkey containing her identity and a new timestamp $T_2$, and $B$'s identity. The lifetime of an authenticator is a few minutes. Upon reception of the message, Tgs decrypts the authticket, extracts the authkey and checks the validity of its timestamp $Ta$, namely that $Ta$ is not too old with respect to the lifetime of authkeys. Then, Tgs decrypts the authenticator using the authkey and checks the validity of $T_2$ with respect to the lifetime of authenticators. Finally, Tgs invents a new session key and looks up $B$'s shared key in the database. It replies with a message sealed by the authkey containing the new session key, its timestamp $Ts$, $B$ and a ticket. The session key and the ticket are the credentials to use in the subsequent service phase, so we address them as servkey and servticket respectively. The lifetime of a servkey is a few minutes.

Hence, $A$ may start the service phase. She sends $B$ a two-component message including the servticket and an authenticator sealed by the servkey containing her identity and a new timestamp $T_3$. Upon reception of the message, $B$ decrypts the servticket, extracts the servkey and checks the validity of its timestamp $Ts$. Then, $B$ decrypts the authenticator using the servkey and checks the validity of $T_3$. Finally, $B$ increments $T_3$, seals it by the servkey and sends it back to $A$.
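The three phases just described, as an added simulation that is neither the paper's code nor a real Kerberos implementation: a sealed box stands in for symmetric encryption (it opens only for the holder of the same key string), timestamps are integers, and the lifetimes are values chosen for this example, since the text only says "a few minutes" for authenticators and servkeys. The point of the example is the checks each receiver performs before answering, and what the authenticator lifetime does and does not bound: an old message 3 re-presented to Tgs is accepted while its timestamp is still within the lifetime and rejected once it is not.

```python
"""Kerberos' three phases of Figure 7, modelled end to end (added example).

Sealing is a constructed stand-in for encryption; the long-term key database,
the lifetimes and the principal names are assumptions of this example.
"""
import secrets

AUTHKEY_LIFETIME = 8 * 3600      # assumed for the example
AUTHENTICATOR_LIFETIME = 300     # "a few minutes" in the text; 5 minutes assumed
SERVKEY_LIFETIME = 300           # likewise

def seal(key, *body):
    """{|body|}_key: a box that only the holder of `key` can open."""
    return ("sealed", key, body)

def unseal(key, box):
    """Open a box; the wrong key fails like a failed decryption would."""
    tag, k, body = box
    if tag != "sealed" or k != key:
        raise ValueError("cannot decrypt with this key")
    return body

def fresh_key():
    return secrets.token_hex(8)

LONG_TERM = {"A": "Ka", "Tgs": "Ktgs", "B": "Kb"}   # the servers' database (constructed)

def kas(msg1, now):
    """Step 2: Kas answers (A, Tgs, T1) with {|authK, Tgs, Ta, authTicket|}_Ka."""
    a, tgs_name, _t1 = msg1
    auth_k, ta = fresh_key(), now
    auth_ticket = seal(LONG_TERM[tgs_name], a, tgs_name, auth_k, ta)
    return seal(LONG_TERM[a], auth_k, tgs_name, ta, auth_ticket)

def tgs(msg3, now):
    """Step 4: check authTicket and authenticator1, then issue servK and servTicket."""
    auth_ticket, authenticator1, b = msg3
    a, _tgs, auth_k, ta = unseal("Ktgs", auth_ticket)
    if now - ta > AUTHKEY_LIFETIME:
        raise ValueError("authTicket expired")
    a2, t2 = unseal(auth_k, authenticator1)
    if a2 != a or now - t2 > AUTHENTICATOR_LIFETIME:
        raise ValueError("authenticator1 stale or mismatched")
    serv_k, ts = fresh_key(), now
    serv_ticket = seal(LONG_TERM[b], a, b, serv_k, ts)
    return seal(auth_k, serv_k, b, ts, serv_ticket)

def server_b(msg5, now):
    """Step 6: B checks servTicket and authenticator2, replies {|T3 + 1|}_servK."""
    serv_ticket, authenticator2 = msg5
    a, _b, serv_k, ts = unseal("Kb", serv_ticket)
    if now - ts > SERVKEY_LIFETIME:
        raise ValueError("servTicket expired")
    a2, t3 = unseal(serv_k, authenticator2)
    if a2 != a or now - t3 > AUTHENTICATOR_LIFETIME:
        raise ValueError("authenticator2 stale or mismatched")
    return seal(serv_k, t3 + 1)

def run_session(now):
    """A's side of all three phases; returns (message 3, whether step 6 verified)."""
    msg2 = kas(("A", "Tgs", now), now)                          # steps 1-2
    auth_k, _tgs, _ta, auth_ticket = unseal("Ka", msg2)
    msg3 = (auth_ticket, seal(auth_k, "A", now), "B")           # step 3
    msg4 = tgs(msg3, now)                                       # step 4
    serv_k, _b, _ts, serv_ticket = unseal(auth_k, msg4)
    t3 = now
    msg6 = server_b((serv_ticket, seal(serv_k, "A", t3)), now)  # steps 5-6
    (reply,) = unseal(serv_k, msg6)
    return msg3, reply == t3 + 1

def replay_is_rejected(msg3, later):
    """Re-present an old message 3 to Tgs at time `later`; True iff Tgs refuses it."""
    try:
        tgs(msg3, later)
    except ValueError:
        return True
    return False

if __name__ == "__main__":
    msg3, ok = run_session(1_000_000)
    print("session completed:", ok)
    print("old message 3 rejected after lifetime:",
          replay_is_rejected(msg3, 1_000_000 + AUTHENTICATOR_LIFETIME + 1))
```

The window in which an old message 3 is still accepted is exactly the authenticator lifetime; deployed Kerberos implementations close it further with a replay cache of recently seen authenticators, which this model leaves out.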



5 Analysing Kerberos

As a start, we build the initial SCSP for Kerberos. Figure 8 shows the fragment pertaining to principals $A$ and $B$. The assignment allkeys $\rightarrow$ private signifies that the constraint assigns level private to all principals' long-term keys.

Unary constraint on $A$: $(Ka) \rightarrow$ private, $(a) \rightarrow$ public, $(b) \rightarrow$ public, $(tgs) \rightarrow$ public, $(kas) \rightarrow$ public

Unary constraint on $B$: $(Kb) \rightarrow$ private, $(a) \rightarrow$ public, $(b) \rightarrow$ public, $(tgs) \rightarrow$ public, $(kas) \rightarrow$ public

Two further unary constraints (on the principals holding the database of long-term keys): allkeys $\rightarrow$ private, $(a) \rightarrow$ public, $(b) \rightarrow$ public, $(tgs) \rightarrow$ public, $(kas) \rightarrow$ public

Fig. 8. The initial SCSP for Kerberos (fragment)



Then, we build the policy SCSP for Kerberos using algorithm BuildPolicySCSP (Figure 3). Figure 9 shows the fragment pertaining to principals $A$ and $B$. The components that are specific of the session between $A$ and $B$, such as timestamps and session keys, are not indexed for simplicity. We remark that the security levels of all other principals on the authkey $authK$ and on the servkey $servK$ are unknown.

Binary constraints, one per protocol message:

$(\{||\}, \{|a, tgs, T_1|\}) \rightarrow$ public
$(\{||\}, \{|authK, tgs, Ta, authTicket|\}_{Ka}) \rightarrow traded_1$
$(\{||\}, \{|authTicket, authenticator_1, b|\}) \rightarrow traded_2$
$(\{||\}, \{|servK, b, Ts, servTicket|\}_{authK}) \rightarrow traded_3$
$(\{||\}, \{|servTicket, authenticator_2|\}) \rightarrow traded_4$
$(\{||\}, \{|authenticator_3|\}) \rightarrow traded_5$

where

$authTicket = \{|a, tgs, authK, Ta|\}_{Ktgs}$
$authenticator_1 = \{|a, T_2|\}_{authK}$
$servTicket = \{|a, b, servK, Ts|\}_{Kb}$
$authenticator_2 = \{|a, T_3|\}_{servK}$
$authenticator_3 = \{|T_3 + 1|\}_{servK}$

Unary constraints (two, as in Figure 8): allkeys $\rightarrow$ private, $(a) \rightarrow$ public, $(b) \rightarrow$ public, $(tgs) \rightarrow$ public, $(kas) \rightarrow$ public

Fig. 9. The policy SCSP for Kerberos (fragment).



5.1 Confidentiality

The preliminary analysis of confidentiality conducted on the policy SCSP in Figure 9 highlights that the late protocol messages get worse security levels than the initial ones do. For example, by the definition of $l$-confidentiality there is $traded_4$-confidentiality of $servK$ for $B$. By the same definition, it is crucial to observe that $A$ gets $authK$ as $traded_1$-confidential, but gets $servK$ as $traded_3$-confidential. So, if we consider a potential confidentiality attack whereby $A$ loses $authK$ to some malicious principal other than $B$, and another potential confidentiality attack whereby $A$ or $B$ lose $servK$ to some malicious principal, the former would be a worse confidentiality attack than the latter, by Definition 5. Indeed, having $authK$ available, one can obtain $servK$ from decryption and splitting of message 4.

We also conduct an empirical analysis of confidentiality by considering, as example, a known-ciphertext attack (Stinson 1995) mounted by some malicious principal $C$ on the authenticator of message 3 to discover the authkey pertaining to a principal $A$ (and Tgs). We briefly remind how such an attack works. Since both principal names and timestamps are public, $C$ knows the body of the authenticator with a good approximation — she should just try out all timestamps of, say, the last day. First, she invents a key, encrypts the known body with it, and checks whether the result matches the encrypted authenticator fetched from the network. If not, $C$ "refines" her key (Stinson 1995) and iterates the procedure until she obtains the same ciphertext as the authenticator. At this stage, she holds the encryption key, alias the authkey, because encryption is injective. The entire tampering took place off line.

Along with the authkey for $A$, principal $C$ also saves a copy of the corresponding authticket by splitting message 3 into its components. Then, $C$ forwards message 3, unaltered, to Tgs, so $A$ can continue and terminate the session accessing some resource $B$. A glimpse at Figure 7 shows that $C$ is now in a position to conduct, for the lifetime of the authkey, the Authorisation and Service phases while he masquerades as $A$ with some principal $D$. To do so, $C$ forges an instance 3' of message 3 by using the authticket just learnt, by refreshing the timestamp inside the authenticator (which he can do because he knows the authkey), and by mentioning the chosen principal $D$. As Tgs believes that the message comes from $A$, Tgs replies to $A$ with a message 4' containing some fresh servkey meant for $A$ and $D$. Having intercepted 4', $C$ learns the servkey and therefore can forge an instance 5' for $D$ of message 5. Finally, $C$ intercepts 6' and the session terminates without $A$'s participation.
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Fig. 10. An imputable SCSP for Kerberos (fragment). 

Our algorithm BuildImputableSCSP executed on the network configura- 
tion just described produces the imputable SCSP in FigurelTni The SCSP omits 
the constraint corresponding to the Authentication phase between A and Kas. 
Because C intercepts message 3, constraint 3 is stated between A and C. 
Projecting that constraint on C, we have that C's security level on message 
authTicket, authenticatori, b is traded2- By splitting this message, C discovers the 
authticket, so the entailment relation states a unary constraint on C assigning 
traded2 to authTicket. Another unary constraint on C assigns private to authK, 
which is found by cryptanalysis. 

Constraint 3 between C and Tgs assigns traded_2 to message 3 because of C's 
rerouting. Projecting that constraint on Tgs, we have by entailment that Tgs's 
security level on authK goes down to traded_2, whereas it was traded_1 in the policy 
SCSP. Constraint 4 formalises Tgs's reply to A, while the constraints for the rest 
of the session between A and B are omitted. Constraints 3', 4', 5', and 6' formalise 
the session between C, Tgs, and D. 

At this stage, we can conduct an empirical analysis of confidentiality for each 
of the agents involved in this imputable SCSP. By definition, authTicket, 
authenticator_1', and authK are each traded_2-confidential for Tgs in this problem. 
Since they were traded_1-confidential in the policy SCSP, we conclude by definition 
that there is a confidentiality attack by Tgs on each of these messages in the 
imputable SCSP considered here. The attacks signal C's manipulation of message 3. 

The imputable SCSP also achieves private-confidentiality of authK for C, 
whereas the policy SCSP achieved unknown-confidentiality of authK for C. Therefore, 
there is a confidentiality attack by C on authK in this SCSP. Likewise, there is a 
confidentiality attack by C on authTicket. From constraint 4' we have by entailment 
that C's security level on servTicket' and on servK' is a traded level rather than 
unknown as in the policy SCSP, hence we find other confidentiality attacks by C on 
each of these messages. 

There are also confidentiality attacks by D, who gets servTicket', 
authenticator_2, and servK' at a lower traded level than in the policy SCSP. 

5.2 Authentication 

We now focus on the fragment of policy SCSP for Kerberos given in the earlier 
figure to conduct the preliminary analysis of the authentication goal. 

By Definition 7, there is traded_2-authentication of A with Tgs in the policy SCSP. 
The definition holds for message 3, whose first two components speak about A. 
Also, there is traded-level authentication of A with B thanks to message 5, and a 
weaker traded-level authentication of B with A due to message 6. While it is obvious 
that message 5 speaks about A, it is less obvious that message 6 speaks about B. 
This is due to the use of a servkey that is associated to B. 

We observe that authentication of B with A is weaker than authentication of A 
with B even in the ideal conditions formalised by the policy SCSP. Intuitively, this 
is due to the fact that the servkey has been handled both by A and B rather than 
just by A. Hence, by definition, a principal C's masquerading as A with B would 
be a worse authentication attack than a principal D's masquerading as B with A. 

An empirical analysis of authentication can be conducted on the imputable SCSP 
in Figure 10. That SCSP achieves traded-level authentication of A with B thanks to 
message 5, and traded-level authentication of B with A due to message 6. Comparing 
these properties with the equivalent ones holding in the policy SCSP, which we have 
seen above, we can conclude by definition that the imputable SCSP considered 
hides an authentication attack on B by means of A, and an authentication attack on 
A by means of B. They are due to C's interception of message 3, which has lowered 
the legitimate protocol participants' security levels on the subsequent messages. 

It is important to emphasize that these authentication attacks could not be cap- 
tured by an equivalent definition of authentication based on crisp, rather than 
soft, constraints. The definition in fact holds in the policy SCSP as well as in the 
imputable SCSP. What differentiates the two SCSPs is merely the security level 
characterising the goal. 

6 Conclusions 

We have developed a new framework for analysing security protocols, based on a 
recent kernel (Bella and Bistarelli 2001; Bella and Bistarelli, to appear). Soft constraint 
programming allows us to conduct a fine analysis of the confidentiality and au- 
thentication goals that a protocol attempts to achieve. Using the security levels, we 
can formally claim that a configuration induced by a protocol achieves a certain 
level of confidentiality or authentication. That configuration may be ideal if every 
principal behaves according to the protocol, as formalised by the policy SCSP; or, 
it may arise from the protocol execution in the real world, where some principal 
may have acted maliciously, as formalised by an imputable SCSP. We can formally 
express that different principals participating in the same protocol session obtain 
different forms of those goals. We might even compare the forms of the same goal 
as achieved by different protocols. 

Our new threat model where each principal is a potential attacker working for 
his own sake has allowed us to detect a novel attack on the asymmetric Needham- 
Schroeder protocol. Once C masquerades as A with B, agent B inadvertently gets 
hold of a nonce that was not meant for him. At this stage, B might decide to exploit 
this extra knowledge, and begin to act maliciously. Our imputable SCSP modelling 
the scenario reveals that B's security level on the nonce is lower than that allowed 
by the policy. 

There is some work related to our analysis of Kerberos, such as Mitchell et 
al.'s analysis by model checking (Mitchell et al. 1997). They consider a version of 
Kerberos stripped of timestamps and lifetimes — hence authkeys and servkeys 
cannot be distinguished — and establish that a small system with an initiator, 
a responder, Kas and Tgs keeps the two session keys secure from the spy. Bella 
and Paulson (Bella and Paulson 1998) verify by theorem proving a version with 
timestamps of the same protocol. They do prove that using a lost authkey will let 
the spy obtain a servkey. On top of this, one can informally deduce that the first 
key is more important than the second in terms of confidentiality. By contrast, our 
preliminary analysis of the protocol states formally that the authkey is traded_1- 
confidential and the servkey is traded_3-confidential (§5.1). Another finding is the 
difference between authentication of initiator with responder and vice versa (§5.2). 

Some recent research exists that is loosely related to ours. Millen and Shmatikov 
(Millen and Shmatikov 2001) map the existence of a strand representing the attack 
upon a constraint problem. Comon et al. (Comon et al. 2001), and Amadio and 
Charatonik (Amadio and Charatonik 2002) solve confidentiality and reachability 
using set-based constraints (Pacholski and Podelski 1997). By contrast, we build 
suitable constraint problems for the analysis of a global network configuration where 
any principals (not just one) can behave maliciously. In doing so, we also analyse 
the safety of the system in terms of the consequences of a deliberate attack on the 
environment. The idea of refinements (De Schreye et al. 1995) is also somewhat 
related to our use of levels. In that case the original protocol must be specialised 
in order to be able to map the known/unknown level over the set of levels specified 
by the policy. The policy also has to specify how the levels have to be changed 
w.r.t. each operation described in the protocol. Abstract interpretation techniques 
(much in the spirit of those used by Bistarelli et al. (Bistarelli et al. 2002)) can be 
used as a next step to deal with unbounded participants/sessions/messages. 

While mechanical analysis was outside our aims, we have implemented a me- 
chanical checker for l-confidentiality on top of the existing Constraint Handling Rule 
(CHR) framework (Bistarelli et al. 2002). For example, when we input the policy 
SCSP for the Needham-Schroeder protocol and the imputable SCSP corresponding 
to Lowe's attack, the checker outputs 

    checking(agent(a))
    checking(agent(b))
    attack(n_a, policy_level(unknown), attack_level(traded_1))
    checking(agent(c))
    attack(enk(k(a),pair(n_a,n_b)), policy_level(unknown), attack_level(traded_1))
    attack(n_b, policy_level(unknown), attack_level(traded_1))

The syntax seems to be self-explanatory. Line two reveals the new attack we have 
found on B, who has lowered his security level on Na from unknown to traded_1. 
Likewise, line three denounces that not only has C got hold of the nonce Nb but also 
of the message {|Na, Nb|}_Ka (which was meant for A and not for B) that contains 
it. 
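The comparison the checker performs, and the one carried out by hand in §5.1 and §5.2 above, is a single rule: a goal is attacked whenever a principal's security level on a message in the imputable SCSP is lower than in the policy SCSP. The following Python program is an added example reproducing that rule; it is not the paper's CHR checker nor any code from the authors. The total order on levels, the encoding of a projected SCSP as a dictionary from agent to message to level, the way "speaks about" is modelled for authentication, and the Kerberos sample levels on messages 5 and 6 are all assumptions made here.

```python
# Added example (not the paper's CHR checker): a small checker applying the
# criterion "level in the imputable SCSP lower than in the policy SCSP" and
# reporting its findings in the attack(...) syntax of the output quoted above.
# Assumptions: levels form a total order; a projected SCSP is a dictionary
# agent -> message -> level; the "speaks about" relation is given as a table.
from dataclasses import dataclass

# Security levels from most to least confidential (assumed total order, using
# the paper's names unknown, private, traded_1, traded_2, ...).
LEVELS = ["unknown", "private", "traded_1", "traded_2", "traded_3", "traded_4"]
RANK = {lvl: i for i, lvl in enumerate(LEVELS)}


def lower_than(a: str, b: str) -> bool:
    """True when level a is strictly less confidential than level b."""
    return RANK[a] > RANK[b]


def level_of(scsp: dict, agent: str, message: str) -> str:
    """Level agent assigns to message in the projected SCSP; a message the
    agent never handled sits at the top level, unknown."""
    return scsp.get(agent, {}).get(message, "unknown")


@dataclass(frozen=True)
class Attack:
    agent: str
    message: str
    policy_level: str
    attack_level: str

    def __str__(self) -> str:
        return (f"attack({self.message}, policy_level({self.policy_level}), "
                f"attack_level({self.attack_level}))")


def confidentiality_attacks(policy: dict, imputable: dict) -> list:
    """Confidentiality attacks by each agent: messages held at a lower level
    in the imputable SCSP than in the policy SCSP."""
    found = []
    for agent in sorted(set(policy) | set(imputable)):
        for message in sorted(imputable.get(agent, {})):
            pol = level_of(policy, agent, message)
            imp = level_of(imputable, agent, message)
            if lower_than(imp, pol):
                found.append(Attack(agent, message, pol, imp))
    return found


def authentication_attacks(policy: dict, imputable: dict, speaks_about: dict) -> list:
    """Authentication attacks, modelled (assumption) as: authentication of
    `who` with `holder` via a message speaking about `who` weakens when the
    holder's level on that message drops below its policy level."""
    found = []
    for message, about in speaks_about.items():
        for holder in sorted(imputable):
            if message not in imputable[holder]:
                continue
            for who in sorted(about - {holder}):
                pol = level_of(policy, holder, message)
                imp = level_of(imputable, holder, message)
                if lower_than(imp, pol):
                    found.append((who, holder, message, pol, imp))
    return found


def report(policy: dict, imputable: dict) -> list:
    """Agent-by-agent report in the checker's syntax: a checking(agent(x))
    line followed by one attack(...) line per confidentiality attack by x."""
    attacks = confidentiality_attacks(policy, imputable)
    lines = []
    for agent in sorted(set(policy) | set(imputable)):
        lines.append(f"checking(agent({agent}))")
        lines.extend(str(a) for a in attacks if a.agent == agent)
    return lines


# Constructed Needham-Schroeder sample reproducing the quoted run: in the
# policy SCSP, B's level on Na and C's levels on Nb and {|Na,Nb|}_Ka are
# unknown; Lowe's attack lowers each to traded_1. A's entries are filler.
NS_POLICY = {"a": {"n_a": "private"}, "b": {"n_b": "private"}, "c": {}}
NS_IMPUTABLE = {
    "a": {"n_a": "private"},
    "b": {"n_b": "private", "n_a": "traded_1"},
    "c": {"enk(k(a),pair(n_a,n_b))": "traded_1", "n_b": "traded_1"},
}

# Constructed Kerberos sample from Section 5: Tgs's authK drops from traded_1
# to traded_2, C's authK from unknown to private and authTicket to traded_2.
# The levels on messages 5 and 6 held by B and A are assumed values.
KRB_POLICY = {"Tgs": {"authK": "traded_1"}, "C": {},
              "A": {"msg6": "traded_3"}, "B": {"msg5": "traded_2"}}
KRB_IMPUTABLE = {"Tgs": {"authK": "traded_2"},
                 "C": {"authK": "private", "authTicket": "traded_2"},
                 "A": {"msg6": "traded_4"}, "B": {"msg5": "traded_3"}}
KRB_SPEAKS_ABOUT = {"msg5": {"A"}, "msg6": {"B"}}  # message 5 speaks about A, 6 about B

if __name__ == "__main__":
    print("\n".join(report(NS_POLICY, NS_IMPUTABLE)))
    print("\n".join(report(KRB_POLICY, KRB_IMPUTABLE)))
    for who, holder, msg, pol, imp in authentication_attacks(KRB_POLICY, KRB_IMPUTABLE, KRB_SPEAKS_ABOUT):
        print(f"authentication of {who} with {holder} via {msg}: {pol} -> {imp}")
```

Running it prints the Needham-Schroeder report in the same form as the quoted checker output, then the Kerberos confidentiality attacks by A, B, C and Tgs, and the two weakened authentications (of A with B via message 5, of B with A via message 6). A level lattice with only a partial order could replace the list, provided lower_than is redefined over that order.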

At this stage, integrating our framework with model-checking tools appears to be 
a straightforward exercise. The entailment relation must be extended by a rule per 
each of the protocol messages in order to compute their security levels. Hence, our 
constraints would be upgraded much the way multisets are rewritten in the work by 
Cervesato et al. (Cervesato et al. 1999) (though they only focus on a single attacker 
and their properties are classical yes/no properties). Then, once suitable size 
limits are stated, the imputable SCSPs could be exhaustively generated and checked 
against our definitions of confidentiality and authentication. Alternatively, the pro- 
tocol verifier might use our framework for a finer analysis of network configurations 
generated using other techniques. 